Privacy Policy
Effective Date: February 25, 2026 · Last Updated: February 25, 2026
1. Introduction
This Privacy Policy describes how Scribefully ("we," "us," or "our") collects, uses, and protects information when you use our professional portfolio and content discovery platform ("Service"). This Service is operated by an individual based in California.
We do not sell, rent, or trade your personal information to third parties. We never have, and we never will.
This Privacy Policy should be read in conjunction with our Terms of Service, which governs your use of the platform.
2. Definitions
- "Service" refers to the Scribefully web application located at scribefully.com and all related features, tools, and services.
- "Personal Information" means any information that identifies, relates to, or could reasonably be linked to you or your household.
- "Processing" means any operation performed on Personal Information, whether automated or manual.
- "You" and "Your" refer to the individual accessing or using the Service.
- "We," "Us," and "Our" refer to Scribefully.
3. Information We Collect
3.1 Personal Information (Account Users)
- Email address (required for account creation)
- First name and last name (for professional attribution)
- Password (hashed and never stored in plaintext)
- Profile photos/avatars (optional)
- Bio text (optional, up to 500 characters)
- Professional headline (optional, up to 120 characters)
- Content visibility preferences (controls whether your content is publicly visible or private to you; note: virtual portfolio claims default to public visibility)
3.2 Information You Provide Directly
- URLs you submit to the Service
- Voting activity (upvotes and downvotes on submissions)
- Authorship claims
- Comments you post on article pages (up to 2,000 characters)
- Comment deletion actions
- Profile photos/avatars you upload to your account
3.3 Information Collected Automatically
- IP addresses (immediately hashed with salt for privacy protection)
- Browser type and version
- Device information and operating system
- User agent strings (browser/device information)
- Access times and dates
- Timestamps (account creation, submissions, votes)
- Pages viewed and features used via PostHog analytics
- User behavior analytics (clicks, scrolls, time on page)
- Referring website addresses
- Session data (authentication tokens)
3.4 Beta Testing Feedback
- Voluntary feedback provided through our feedback collection system
- Bug reports and feature suggestions
- User experience feedback and recommendations
- Contact information if provided in feedback forms
3.5 Analytics and Tracking
We use PostHog for product analytics to understand how users interact with our Service. PostHog collects:
- Page views and navigation paths
- Feature usage and interaction patterns
- Session recordings (anonymized)
- Custom events (submissions, votes, claims)
- Device and browser information
PostHog data is stored on servers in the United States. You can opt out of PostHog tracking by enabling "Do Not Track" in your browser settings.
3.6 Curated Virtual Portfolio Data
When Scribefully creates virtual portfolios for content curation:
- Temporary placeholder emails for system management
- Publicly available professional information (name, bio, headline)
- URLs to publicly published content
- Basic contact information for notification purposes
- IP addresses and timestamps during the claiming process
- All data is derived from publicly available sources or provided during the claiming process
4. How We Use Your Information
4.1 Core Functionality
- Professional attribution (displaying "by [First Name Last Name]")
- Operate, maintain, and improve the Service
- Process URL submissions and voting
- User authentication and session management
- Display and manage comments on article pages
- Link comment authors to their portfolio pages
4.2 Anti-Abuse Measures
- Prevent spam, abuse, and manipulation through rate limiting and anti-fraud measures
- IP-based restrictions on submissions/votes
- Duplicate prevention
- Vote manipulation prevention
- Comment rate limiting to prevent spam
4.3 Platform Improvement
- Process voluntary feedback to improve the platform
- Analyze usage patterns to enhance user experience
- Identify and fix bugs reported by users
- Develop new features based on user suggestions
4.4 Communications and Other Uses
- Ensure Service security and prevent unauthorized access
- Comply with legal obligations
- Communicate about Service changes or important updates
- Send transactional emails via Resend (comment notifications, vote milestones)
- Analyze platform usage through PostHog to improve features and user experience
5. Cookies and Tracking Technologies
5.1 Essential Cookies
These cookies are required for the Service to function and cannot be disabled.
- Supabase authentication cookies: Maintain your login session and authentication state. These are set when you sign in and expire when you log out or after a period of inactivity.
- Pending claim storage (localStorage): Temporarily stores authorship claim data during the signup flow so your claim can be processed after account creation.
5.2 Analytics Cookies
These cookies help us understand how users interact with the Service.
- PostHog analytics: Collects anonymized usage data including page views, feature interactions, and session recordings. Data is stored in the United States. You can opt out by enabling "Do Not Track" in your browser.
5.3 Preference Cookies
These cookies remember your settings and preferences.
- Theme preference (localStorage): Stores your dark/light mode setting so it persists across visits.
- GDPR consent (localStorage): Records whether you have acknowledged our cookie/privacy notice.
- Onboarding and announcement state (localStorage): Tracks whether you have seen platform onboarding or announcements so they are not repeated.
5.4 What We Do Not Use
- No advertising cookies or ad-tracking pixels
- No cross-site tracking for advertising purposes
- No social media tracking pixels (Facebook Pixel, etc.)
- No third-party marketing cookies
5.5 Managing Cookies
You can manage cookies through your browser settings. Most browsers allow you to block or delete cookies. However, blocking essential cookies may prevent you from using certain features of the Service, such as logging in. To opt out of analytics cookies specifically, enable "Do Not Track" in your browser settings.
6. Data Storage and Security
6.1 Data Location
All data is stored and processed in the United States. Our database is hosted by Supabase (PostgreSQL) and our application is hosted by Render, both of which maintain data centers in the United States.
6.2 Security Measures
- Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS)
- Encryption at rest: Database data is encrypted at rest using AES-256 encryption via Supabase infrastructure
- Password hashing via Supabase security protocols (bcrypt)
- IP address anonymization through hashing with salt
- Database security through Supabase Row Level Security policies
- Row Level Security ensuring users can only delete their own comments
- Metadata removal from uploaded profile images
- Limited access to information on a need-to-know basis
- Regular security assessments and vulnerability scanning
6.3 No Sensitive Data
- No payment information
- No government IDs or social security numbers
- No biometric data
- No location tracking beyond IP geolocation for spam prevention
6.4 Security Limitations
No method of internet transmission or electronic storage is completely secure. While we strive to use commercially acceptable means to protect your Personal Information, we cannot guarantee its absolute security.
7. Information Sharing and Disclosure
We do not sell, trade, or rent your Personal Information to third parties.
We may share information only in these limited circumstances:
- Service Providers: With trusted sub-processors who assist in operating the Service (see Section 8 below), solely for the purposes described in this policy
- Legal Requirements: When required by law, court order, or government request
- Safety and Security: To protect our rights, property, safety, or that of users or the public
- Business Transfers: In connection with a merger, acquisition, or sale of assets, in which case we will notify affected users before Personal Information is transferred and becomes subject to a different privacy policy
8. Sub-Processors
The following third-party services process data on our behalf to operate the Service:
| Service | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database, authentication | All user data, submissions, votes, comments | United States |
| Render | Application hosting | Application logs, server access logs | United States |
| Resend | Transactional email | Email addresses, message content | United States |
| PostHog | Product analytics | Usage data, feature interactions, anonymized sessions | United States |
| Google Fonts | Typography (Inter, Dancing Script) | IP address, browser info (per Google's policy) | Global (Google CDN) |
Each sub-processor is contractually obligated to protect your data and may only process it for the specific purposes described above.
9. Data Retention
We retain information only as long as necessary to:
- Provide the Service
- Comply with legal obligations
- Resolve disputes
- Enforce our Terms of Service
Specific Retention Periods
- Active accounts: Retained for the duration of your account
- Deleted accounts: Personal data permanently removed upon deletion request; some anonymized data may be retained for platform integrity
- Content submissions: Retained indefinitely for platform value (attribution removed upon account deletion)
- Vote data: Retained for spam prevention and platform integrity
- Comments: Stored indefinitely unless deleted by you or an administrator
- Server logs: Retained for approximately 90 days per hosting provider policies
- Analytics data: Retained indefinitely in anonymized/aggregated form
- IP addresses: Hashed immediately and not stored in personally identifiable form
- Profile photos: Permanently deleted when you remove them or delete your account
10. Your Privacy Rights
Regardless of your location, you have the following rights regarding your Personal Information:
10.1 Access and Portability
- View all your submitted content via your account
- Access your profile information
- Request a copy of all Personal Information we hold about you
10.2 Correction and Modification
- Update profile information (first name, last name)
- Change email address and password
- Upload, replace, or remove your profile photo
- Update bio and professional headline information
- Change content visibility settings (toggle between public and private; claimed virtual portfolios default to public)
- Note: Submissions cannot be edited after posting
10.3 Deletion
- Request account deletion by contacting us
- Submitted content remains but attribution is removed
- Vote history may be retained in anonymized form for platform integrity
- Profile photos are permanently deleted when you delete your account or manually remove them
- Comments are permanently deleted upon account deletion
10.4 Public Information
- Comments you post are publicly visible to all site visitors
- Your real first and last name is displayed with each comment
- Comment author names link to public portfolio pages
- Even if you delete a comment, it may have been viewed, copied, or stored by others while it was public
Given our minimal data collection and anonymous operation for non-account users, some rights may be limited in scope. To exercise any of these rights, contact us at with the subject line "Privacy Request."
11. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
Categories of Personal Information Collected
- Identifiers: Name, email address, IP address (hashed)
- Internet activity: Browsing history on our Service, interactions with features, voting activity, submissions
- Profile information: Bio, headline, profile photo
Your California Rights
- Right to know: Request disclosure of the categories and specific pieces of Personal Information we have collected about you
- Right to correct: Request correction of inaccurate Personal Information
- Right to delete: Request deletion of your Personal Information
- Right to opt-out of sale: We do not sell Personal Information, so this right is automatically satisfied
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
- Right to limit use of sensitive information: We do not collect sensitive Personal Information as defined by the CPRA
We will respond to verified CCPA requests within 45 days. To exercise your California privacy rights, email us at with the subject line "CCPA Request."
12. Other U.S. State Privacy Rights
If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or another state with applicable consumer privacy legislation, you may have similar rights to those described in Section 11, including:
- Right to access your Personal Information
- Right to correct inaccuracies
- Right to delete your Personal Information
- Right to data portability
- Right to opt out of the sale of Personal Information (we do not sell your data)
- Right to opt out of targeted advertising (we do not engage in targeted advertising)
- Right to opt out of profiling (we do not engage in automated profiling that produces legal or similarly significant effects)
To exercise your rights under any applicable state privacy law, contact us at with the subject line "State Privacy Request." We will respond within the timeframe required by your state's law. If your request is denied, you may appeal by contacting us with details of your concern.
13. European & UK Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, the General Data Protection Regulation (GDPR) and UK GDPR provide you with additional rights.
13.1 Legal Basis for Processing
We process your Personal Information based on:
- Contract performance: Processing necessary to provide the Service to you (account management, content display, portfolio features)
- Legitimate interests: Operating and improving the Service, preventing abuse, ensuring security, and content curation (including virtual portfolios)
- Consent: Where required by law, such as for analytics cookies and non-essential tracking
- Legal obligation: Processing required to comply with applicable laws
13.2 Your GDPR Rights
Under the GDPR, you have the right to:
- Access: Request a copy of your Personal Information
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your Personal Information ("right to be forgotten")
- Restriction: Request restriction of processing under certain circumstances
- Portability: Receive your data in a structured, commonly used format
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent at any time where processing is based on consent
- Lodge a complaint: File a complaint with your local data protection authority
13.3 Data Controller
Scribefully is the data controller for Personal Information collected through the Service. Sub-processors listed in Section 8 act as data processors on our behalf.
13.4 Virtual Portfolio GDPR Compliance
For EU/UK residents, virtual portfolios are created based on our legitimate business interest in content curation. All data is derived from publicly available sources. You have the right to request immediate removal before or after claiming your portfolio.
We will respond to GDPR requests within 30 days. To exercise your rights, email with the subject line "GDPR Request."
14. International Data Transfers
If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have different privacy laws than your jurisdiction.
14.1 Transfer Mechanisms
For transfers of Personal Information from the EEA or UK to the United States, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable through our sub-processors
- The EU-U.S. Data Privacy Framework (DPF), where our sub-processors are certified participants
- Your explicit consent where no other mechanism applies
14.2 Security of Transfers
All international data transfers are protected by TLS 1.2+ encryption in transit and AES-256 encryption at rest. We ensure that our sub-processors maintain appropriate safeguards for cross-border data transfers.
15. Data Breach Notification
In the event of a data breach that affects your Personal Information:
- Timeline: We will notify affected users within 72 hours of becoming aware of the breach
- Method: Notification will be sent via email to the address associated with your account, and/or posted prominently on the Service
- Content: The notification will include:
  - A description of the nature of the breach
  - The types of Personal Information involved
  - Steps we are taking to address the breach
  - Steps you can take to protect yourself
  - Contact information for follow-up questions
- Regulatory notification: We will notify relevant supervisory authorities as required by applicable law, including under the GDPR (within 72 hours) and California Civil Code §1798.82
16. Use of Artificial Intelligence
16.1 Current AI Usage
The Service uses automated tools to fetch and parse metadata from URLs you submit, including extracting titles, descriptions, and preview images from linked web pages. This process is server-side and automated but does not involve large language models or generative AI systems.
16.2 No Training on User Data
We do not use your Personal Information, submitted content, or any data you provide to the Service for training artificial intelligence or machine learning models.
16.3 Future AI Features
If we implement AI-powered features in the future, we will update this Privacy Policy and our Terms of Service with clear disclosure of what data is used and how, and provide opt-out mechanisms where feasible.
17. Do Not Track Signals
We honor Do Not Track (DNT) signals sent by your browser. When we detect a DNT signal, PostHog analytics tracking is disabled for your session. Essential cookies required for authentication and core Service functionality are not affected by DNT signals, as they are necessary for the Service to operate.
There is currently no universal standard for how companies should respond to DNT signals. Our approach is to respect DNT by disabling non-essential analytics tracking.
18. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect Personal Information from anyone under 18. If we become aware that we have collected Personal Information from a person under 18, we will delete such information promptly. If you believe we have inadvertently collected information from a minor, please contact us immediately.
19. Third-Party Links
The Service contains links to third-party websites and content. This Privacy Policy does not apply to third-party sites. We are not responsible for the privacy practices, content, or security of any third-party websites. We encourage you to review the privacy policy of every site you visit.
External Link Previews
When you submit URLs, our server fetches public metadata from the linked websites. This involves:
- Automated scraping of publicly available metadata (title, description, image)
- Temporary storage of preview data in our database
- No access to password-protected or private content
- Standard HTTP requests with browser user agent information
- Target websites may log these requests according to their own privacy policies
20. Changes to This Privacy Policy
We may update this Privacy Policy periodically. When we do:
- We will post the updated policy on the Service
- We will update the "Last Updated" date at the top of this page
- For material changes, we will notify registered users via email at least 30 days before the changes take effect
- We will provide a summary of changes in the notification
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you must stop using the Service.
21. Contact Information
For privacy-related questions or to exercise your rights, contact us at:
Please use the following subject lines to help us route your request:
- "CCPA Request" — for California privacy rights requests
- "GDPR Request" — for European/UK privacy rights requests
- "State Privacy Request" — for other U.S. state privacy rights requests
- "Privacy Inquiry" — for general privacy questions
Marin County, California, United States
This Privacy Policy should be read in conjunction with our Terms of Service.